GDPR is now just around the corner. We look at what impact it will have on your SME and how you should prepare.
Does May 25th, 2018 ring a bell? For anyone running an SME (or any other business), it should do. It’s the date when the EU’s General Data Protection Regulation (GDPR) will come into effect in the UK. The legislation is a radical overhaul of the existing EU data protection rules, now in their 23rd year and well past their sell-by date. The GDPR is designed to improve data security and give EU citizens far greater control over their data.
In the UK, many SME owners haven’t exactly been scrambling to get ready. Just a few weeks ago, a survey revealed that 39% of SMEs hadn’t even started their preparations. Some believed Brexit would exempt UK businesses, or that GDPR only applied to huge corporations — neither of which is true. For many, however, GDPR has probably just migrated itself down to the bottom of an endless to-do list.
So, if your SME is currently in the ‘unprepared’ camp, we’ve got good news and bad news.
Bad news first: there’s no getting round it, you really do have to prepare. Apart from sound ethical reasons for following the GDPR, the legislation comes equipped with some very large teeth. If you’re not compliant, you could face a fine of up to either 4% of your annual turnover or €20 million, whichever is the greater. Don’t think that the small scale of your business will save you — the GDPR applies from the largest concern to the tiniest. There have been some reports that fines may be lower for SMEs, but we wouldn’t want to test that.
There is good news, however. It’s late, but there’s still time to prepare and oodles of help available.
With all that in mind, let’s take a look at how you can get going with GDPR compliance.
First steps in tackling GDPR
There’s no shortage of information out there on GDPR, but when you’re starting out you might as well go directly to the source. The Information Commissioner’s Office (ICO) website is full of useful resources. In particular, they’ve produced a 12-point plan that gives a great overview of how to prepare. Although a summary document, it contains links to the further documentation you’ll need to tackle the nitty-gritty.
However, processing the ICO’s information does take time. Unfortunately, for the typical SME owner, that’s something that’s in short supply. If that’s the case, you might consider signing up for one of the many GDPR webinars and seminars that have sprung up. Of course, you’ll have to pay, but the savings in time (and stress!) may be worth it.
Whichever route you take, once you’ve got some understanding of the GDPR’s provisions, the next step will undoubtedly be an audit. This will assess your current situation and identify the areas in which you need to take action. Again, if you simply don’t have the time, there are companies who will undertake this for you.
When you complete the audit, you might be in for a pleasant surprise. If you’ve implemented the Data Protection Act, and already adopted best practice, then GDPR may not be too challenging.
Four pointers for SMEs
As noted above, it’s your responsibility to fully engage with the GDPR, and your key source has to be the ICO’s website. However, based on our own experience of working with SMEs, here are four key procedures to put in place.
1. Designate someone in charge of data protection
Some SMEs will need to formally appoint a Data Protection Officer. However, as this article helpfully points out, that’s not mandatory for all organisations. But at the least, you will need to designate someone with overall responsibility for data protection. No formal qualifications are needed for this; the person just has to be familiar with the company’s data practices and the requirements of the GDPR. For the smallest companies, the designated person will probably be the owner.
2. Have a mechanism in place to report data breaches
3. Review any consent arrangements in your marketing
4. Think how you will deal with individuals’ right to data
As things stand, individuals have limited rights to the data that companies hold on them. However, this will be changing in May. The GDPR gives individuals a slew of new rights regarding their data. A customer can, for example, request access to what data is stored on them, ask to have it amended or erased completely, or have it sent to another company. How would your business cope with multiple requests like these? If you’re not even sure what data you hold on individuals, or if it’s scattered between different databases, that audit we mentioned becomes crucial.
How much impact on your business?
Whether the GDPR has a major impact on your business will depend on several factors. One is how you’ve treated data so far. As we pointed out above, companies that have worked hard at protecting data will have considerably less to do. The second is the type (and scale) of your operations: obviously, the GDPR will hit businesses with lots of direct marketing and interaction with prospects harder. But if you can’t change the past and you can’t change your sector, you can at least do something about the third factor: how much planning you’ve done. If the steps towards GDPR are taken systematically, and in plenty of time, the disruption needn’t be huge.
MV Marketing specialise in helping SMEs with a wide range of marketing activities. For flexible marketing solutions that don’t cost the Earth, please contact us today.